Fix missing flow through super calls

asgerf · asgerf · commit 81af9a1658a1 · 2024-10-22T12:46:17.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -470,6 +470,9 @@ private predicate isArgumentNodeImpl(Node n, DataFlowCall call, ArgumentPosition
   or
   pos.isThis() and n = TNewCallThisArgument(call.asOrdinaryCall().asExpr())
   or
+  pos.isThis() and
+  n = TImplicitThisUse(call.asOrdinaryCall().asExpr().(SuperCall).getCallee(), false)
+  or
   // receiver of accessor call
   pos.isThis() and n = call.asAccessorCall().getBase()
   or
diff --git a/javascript/ql/test/library-tests/TripleDot/useuse.js b/javascript/ql/test/library-tests/TripleDot/useuse.js
@@ -94,3 +94,20 @@ function t6() {
     sink(c.y); // $ hasValueFlow=t6.2
     c.methodLike();
 }
+
+function t7() {
+    class Base {
+        constructor(x) {
+            this.field = x;
+            sink(this.field); // $ hasTaintFlow=t7.1
+        }
+    }
+    class Sub extends Base {
+        constructor(x) {
+            super(x + '!');
+            sink(this.field); // $ hasTaintFlow=t7.1
+        }
+    }
+    const c = new Sub(source('t7.1'));
+    sink(c.field); // $ hasTaintFlow=t7.1
+}
